Lucus Van Blaircum

JIT Provisioning of Community users with SAML - endless redirect loop

OK, so I hope someone has more knowledge of SSO than me (which is quite easy).

Problem:
I have a web app within which I want to provide a button to access the Support Community, no additional login/clicks required, as an authenticated user.

So, in essence, I'd like to create an IdP-initiated SSO flow for Salesforce communities.

[Attempted] Solution:
  • Activate community and enable "Allow external users to self-register"
  • Create endpoint within my web app that generates signed, encrypted SAML Response and uses HTML form to POST SAMLResponse & RelayState.
  • Create SAML SSO configuration in Salesforce with "User Provisioning Enabled" checked and "User Provisioning Type" set to Standard.
  • (I set "Identity Provider Login URL" to my SAML response endpoint; in an IdP-initiated flow I did not think this mattered.)
  • Update my web app settings to reflect EntityID as Audience parameter, "Sysomos Community Login URL" as Recipient and POST Action URL, and set up issuer/cert to match configuration.
  • Update community login options to display only the above SAML configuration

Testing:
  • Log into web app and navigate directly to web app SAML endpoint (localhost:1302/SFDC/SAML)
  • Set breakpoint and grab SAMLResponse (signed and encrypted).
  • Test response using "SAML Assertion Validator" - Passes everything except "Unable to map the subject to a Salesforce.com user" which is expected.
  • Remove breakpoint and navigate back to web app SAML endpoint.
  • Allow execution to commence.
  • Page redirected to community login page which redirects to web app SAML endpoint which redirects to community login page and round and round we go.
  • Note: no errors are thrown at any point and no records are added to "Login History" in Setup.
So, my questions are:
  • As a SAML IdP is there supposed to be more than one SAML endpoint (say, that the login url in the SAML config should point to)? If so, what do the others do?
  • Given I am POSTing a valid SAMLResponse to the Community login URL, should it not provision the user requested and log them in?
I see in this question (https://developer.salesforce.com/forums?id=906F0000000BMZBIA4) Marcel dos Santos mentions "I've created a SSO configuration in Salesforce with login and logout URLs pointing to my application and provide a SAML response to Salesforce with the user identity" which I feel I've done, but then Salesforce commits this endless redirect...so I must have something messed up.

Any insight or advice is GREATLY appreciated...I've spent days pulling my hair out over this.
 
Best Answer chosen by Lucus Van Blaircum
Lucus Van Blaircum
Prasanna,

The redirects happen on both sides (both IdP and Salesforce). Here is the call flow:
  1. User: Clicks "help" button - Executes GET /SFDC/SAML
  2. IdP: Creates SAML Response - returns HTML form with SAMLResponse and RelayState
  3. Form (from user's browser) - Executes POST https://{COMMUNITY}.force.com/success/login?so={ORGANIZATION_ID}&sc={CERTIFICATE_ID}
  4. Browser redirects to https://{COMMUNITY}.force.com/success/login?so={ORGANIZATION_ID}&sc={CERTIFICATE_ID}
  5. User clicks "Log In Using" {SSO CONFIG NAME}
  6. Salesforce - Executes POST /SFDC/SAML (which is the "Identity Provider Login URL" for the SSO setup)
The way I've written my IdP the POST/GET are the same call so (6) loops back to (2).

AND I'M AN IDIOT...

I wrote the above and had an epiphany.
Two errors:
  1. In ASP.NET, form inputs require the NAME attribute, not the ID attribute.
  2. In the SAML Assertion you must preface user attributes with User.
So it turns out that if you do it right Salesforce will not redirect you. SFDC was committing the redirect because I was not shipping the SAMLResponse at all.

Thank you Prasanna for shaking loose the solution!
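As an added example (this is not the original poster's ASP.NET code, and not Salesforce's), the following Python builds the IdP-initiated SAML Response and the auto-POST form described in the question, then checks for the two mistakes named in the accepted answer: a hidden input with only an `id` attribute is never submitted by the browser (so Salesforce receives no SAMLResponse and falls back to the login page), and JIT attributes must carry the `User.` prefix. The issuer, audience, recipient URL, profile ID and user values are placeholders; signing and encryption, which the original setup used, are left out and would be added with an XML-DSig library before the response is encoded.

```python
"""Added example, not code from the original post.

Builds the IdP-initiated SAML Response the thread describes (unsigned and
unencrypted here), the HTML auto-POST form that delivers it, and checks for
the two mistakes from the accepted answer: inputs without a NAME attribute
are never submitted, and JIT attributes must be prefixed with "User.".
"""
import base64
import uuid
from datetime import datetime, timedelta, timezone
from html import escape
from html.parser import HTMLParser
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed placeholder values, not real identifiers. The recipient/POST URL
# reuses the placeholders from the thread; it must match the community login
# URL configured in the Salesforce SSO setting.
ISSUER = "https://webapp.example.test/SFDC/SAML"
AUDIENCE = "https://saml.salesforce.com"
RECIPIENT = "https://{COMMUNITY}.force.com/success/login?so={ORGANIZATION_ID}&sc={CERTIFICATE_ID}"


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _q(ns, tag):
    return f"{{{ns}}}{tag}"  # Clark-notation tag name for ElementTree


def build_response(user_attrs, federation_id, now=None):
    """Return an unsigned SAML 2.0 Response (XML string) carrying JIT attributes.

    Every key in user_attrs must start with "User." (mistake 2 in the thread);
    anything else is rejected here instead of being silently ignored later.
    """
    bad = [k for k in user_attrs if not k.startswith("User.")]
    if bad:
        raise ValueError(f"JIT attributes must be prefixed with 'User.': {bad}")
    now = now or datetime.now(timezone.utc)
    expiry = _ts(now + timedelta(minutes=5))

    resp = ET.Element(_q(SAMLP, "Response"), ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=_ts(now), Destination=RECIPIENT)
    ET.SubElement(resp, _q(SAML, "Issuer")).text = ISSUER
    status = ET.SubElement(resp, _q(SAMLP, "Status"))
    ET.SubElement(status, _q(SAMLP, "StatusCode"),
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")

    a = ET.SubElement(resp, _q(SAML, "Assertion"), ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(a, _q(SAML, "Issuer")).text = ISSUER
    subj = ET.SubElement(a, _q(SAML, "Subject"))
    # NameID carries the Federation ID (assumes the SSO setting maps on Federation ID).
    ET.SubElement(subj, _q(SAML, "NameID"),
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = federation_id
    conf = ET.SubElement(subj, _q(SAML, "SubjectConfirmation"),
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, _q(SAML, "SubjectConfirmationData"),
                  Recipient=RECIPIENT, NotOnOrAfter=expiry)
    cond = ET.SubElement(a, _q(SAML, "Conditions"),
                         NotBefore=_ts(now - timedelta(minutes=1)), NotOnOrAfter=expiry)
    ET.SubElement(ET.SubElement(cond, _q(SAML, "AudienceRestriction")),
                  _q(SAML, "Audience")).text = AUDIENCE
    authn = ET.SubElement(a, _q(SAML, "AuthnStatement"), AuthnInstant=_ts(now),
                          SessionIndex="_" + uuid.uuid4().hex)
    ET.SubElement(ET.SubElement(authn, _q(SAML, "AuthnContext")),
                  _q(SAML, "AuthnContextClassRef")).text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    stmt = ET.SubElement(a, _q(SAML, "AttributeStatement"))
    for name, value in user_attrs.items():
        attr = ET.SubElement(stmt, _q(SAML, "Attribute"), Name=name)
        ET.SubElement(attr, _q(SAML, "AttributeValue")).text = value
    return ET.tostring(resp, encoding="unicode")


def build_post_form(response_xml, relay_state, field_attr="name"):
    """HTML page that auto-POSTs SAMLResponse and RelayState to the login URL.

    field_attr="id" reproduces mistake 1 from the thread: browsers submit only
    form controls that have a NAME, so nothing reaches Salesforce.
    """
    encoded = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    return (
        '<!DOCTYPE html><html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{escape(RECIPIENT, quote=True)}">'
        f'<input type="hidden" {field_attr}="SAMLResponse" value="{encoded}">'
        f'<input type="hidden" {field_attr}="RelayState" value="{escape(relay_state, quote=True)}">'
        '<noscript><input type="submit" value="Continue"></noscript>'
        "</form></body></html>"
    )


class _NamedInputs(HTMLParser):
    """Collects what a browser would actually submit: hidden inputs that have a NAME."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")


def submitted_fields(form_html):
    """Simulate the POST body as {field name: value}."""
    p = _NamedInputs()
    p.feed(form_html)
    return p.fields


def decode_response(form_fields):
    """SP-side view: base64-decode the SAMLResponse field back to XML."""
    return base64.b64decode(form_fields["SAMLResponse"]).decode("utf-8")


def jit_attributes(response_xml):
    """Extract the User.* attribute map the SP would read from the assertion."""
    root = ET.fromstring(response_xml)
    return {el.get("Name"): (el.find(_q(SAML, "AttributeValue")).text or "")
            for el in root.iter(_q(SAML, "Attribute"))}


if __name__ == "__main__":
    # Constructed sample user; {PROFILE_ID} is a placeholder, not a real record ID.
    user = {"User.Username": "jane@example.test", "User.Email": "jane@example.test",
            "User.LastName": "Doe", "User.ProfileId": "{PROFILE_ID}",
            "User.FederationIdentifier": "jane@example.test"}
    xml = build_response(user, user["User.FederationIdentifier"])
    print("name= fields:", sorted(submitted_fields(build_post_form(xml, "/support"))))
    print("id= fields:  ", sorted(submitted_fields(build_post_form(xml, "/support", "id"))))
```

Running the block prints `['RelayState', 'SAMLResponse']` for the correct form and `[]` for the `id`-only form, which is the empty POST that sent Salesforce to its login page in the thread. The `jit_attributes` helper is the quickest way to confirm, before anything is signed, that every attribute name Salesforce will see carries the `User.` prefix.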
 

All Answers

_Prasu_
Hi Lucus,

I would suggest you check the URL redirects that are happening: are the redirects staying on Salesforce URLs, or are they happening on the IdP server itself?
From the description you have given, I believe you have a misconfiguration on the IdP side for the Salesforce endpoint URL for SAML.

Regards,
Prasanna